Discussion:
[PacketFence-users] oauth2
lists
2017-05-01 18:14:20 UTC
Hi,

Last question for today! :-)

We are running RedHat's Keycloak, a saml / openid connect / oauth2 IDP,
and would like to use OpenID Connect to authenticate our users. We have
noticed that packetfence has SAML auth support, true, but SAML is so
much harder to set up than OpenID Connect.

And since packetfence supports all kinds of OAuth2 clients... is there a
way to configure a packetfence usersource against a generic OAuth2
server, such as the RedHat Keycloak IDP?

Best regards,
MJ
Antoine Amacher
2017-05-01 18:26:16 UTC
Hello MJ,

We do not have a 'generic' OAuth2 source, as each OAuth2 has its own API,
parameters to authorize, get the token are different, sometimes it
requires a scope, sometimes a token parameter, sometimes none.

Creating a new OAuth source is not too complicated if we have a test
account and adequate documentation, but will require a bit of code. I do
like the idea of generic, but I am not sure it will be that generic
because of arguments stated earlier.

The best option here seems to be to develop a new source for Keycloak OpenID,
unless we rework the way OAuth2 sources are coded.

Thanks
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
***@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
lists
2017-05-01 19:15:17 UTC
Hi Antoine,

Thanks for your reply, also on this OpenID Connect subject.

There is a small wordpress addon that does exactly that:
https://github.com/daggerhart/openid-connect-generic

The only things you needed to configure it, are your own OpenID Connect
server specifics, such as issuer, authorization_endpoint,
token_endpoint, etc, etc.

And those are usually in the docs of whatever product you like.

Using that plugin, it was actually very easy to configure wordpress
against the keycloak openid connect. (in fact: MUCH easier than SAML!)

But I will try if I can concoct a keycloak-specific new source myself,
as we have sponsored quite some projects lately, and our funding is not
endless... ;-)

MJ
Antoine Amacher
2017-05-01 19:30:44 UTC
MJ,

For the source, I'll advise you to take the twitter one as an example
which is simple. If you need help to develop it, you can contact us at
***@inverse.ca.

We could develop it if OpenID is something used a lot, and if there is a
common interest in it.

Thanks
mj
2017-05-01 20:11:19 UTC
Post by Antoine Amacher
We could develop it if OpenID is something used a lot, and if there is a
common interest in it.
So...list...

Anyone else here who would like to see a generic OpenID Connect auth
source in packetfence?

I'd be willing to sponsor with an inverse support point, if we could
gather some more, perhaps that could help too.

Unless I am the only one here, liking OpenID Connect so much more than
SAML2....?

MJ
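
Added example, not part of the original thread and not PacketFence code: the thread notes that a generic OpenID Connect client only needs the provider's issuer, authorization_endpoint and token_endpoint. This sketch shows how such a client can read those values from a discovery document, validate them before trusting them, and build the authorization request. The host idp.example.org, the realm "demo" and both function names are assumptions made up for the illustration.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample of an OpenID Connect discovery document (the JSON a
# provider serves at <issuer>/.well-known/openid-configuration).
_BASE = "https://idp.example.org/auth/realms/demo"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": _BASE,
    "authorization_endpoint": _BASE + "/protocol/openid-connect/auth",
    "token_endpoint": _BASE + "/protocol/openid-connect/token",
    "jwks_uri": _BASE + "/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def load_provider(raw_json, expected_issuer):
    """Validate discovery metadata before trusting any endpoint in it."""
    meta = json.loads(raw_json)
    missing = [k for k in REQUIRED if not meta.get(k)]
    if missing:
        raise ValueError("missing metadata: " + ", ".join(missing))
    # The issuer must equal the configured one exactly; otherwise the
    # document may describe a different identity provider.
    if meta["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch")
    # Credentials and tokens travel to these URLs, so plain http is refused.
    for key in REQUIRED:
        if urlsplit(meta[key]).scheme != "https":
            raise ValueError(key + " is not https")
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("authorization code flow not supported")
    return meta

def build_auth_request(meta, client_id, redirect_uri):
    """Return (url, state, nonce) for the authorization code flow."""
    state = secrets.token_urlsafe(16)  # binds the callback to this session
    nonce = secrets.token_urlsafe(16)  # must reappear in the ID token
    query = urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    })
    return meta["authorization_endpoint"] + "?" + query, state, nonce
```

The caller has to store state and nonce server-side and compare them when the callback and the ID token arrive; the token exchange and signature check against jwks_uri are outside this sketch.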
